REMARKS 

Claims 1-28 are pending in the present application, and Applicant wishes to thank 
the Examiner for agreeing with Applicant's previous distinctions and for withdrawing all 
previous rejections. However, the present Office Action has continued to reject all 
claims 1-28 on new grounds. Specifically, the Office Action stated that "In view of the 
Appeal Brief ... prosecution is hereby reopened." Applicant would like to point out, 
however, that no new arguments were presented in the Appeal Brief. Instead, the 
Appeal Brief merely repeated Applicant's previous arguments. 

Rejections Under 35 U.S.C. § 101 

The present Office Action has, for the first time, asserted rejections under 35 
U.S.C. § 101. Specifically, the Office Action has rejected claims 17-20 under 35 U.S.C. 
§ 101, as allegedly being non-statutory. Applicant would be agreeable to an Examiner's 
amendment to amend each of the "logic" elements to precede each "logic" term with a 
modifier of "computer" or "semiconductor" (such that the elements would read 
"computer logic ..." or "semiconductor logic ..."). However, Applicant has not made any 
such amendment herein, as Applicant believes the claims (in their present form) are 
fully compliant with the statutory requirements of 35 U.S.C. § 101. Further, Applicant 
does not wish to amend the claims in a way that may lead to some other objection or 
rejection. Therefore, Applicant solicits the Examiner's recommendation on this. Again, 
Applicant believes the current claims are in good and proper form. Indeed, the U.S. 
Patent & Trademark Office has issued numerous patents with this very "logic" claim 
language (see e.g., U.S. patent 7,296,283 - issued on Nov. 13, 2007: claim 1 defining 
"logic to authorize ..."). The undersigned sees no relevant difference (from a 35 U.S.C. 
§ 101 perspective) between the claim language issued in that patent and the claim 
language at issue in this application. In accordance with the Administrative Procedures 
Act, the U.S. Patent Office (as an administrative agency) cannot act in an arbitrary and 
capricious manner, and must treat all Applicants equally. The rejection of claims 17-20 
in this application is inconsistent with such a policy. 

Furthermore, Applicant would like the Examiner to clarify why this rejection has 
not been made previously. As these claims have never been amended since their 
original filing with this application, Applicant is confused as to why this rejection is just 
now being raised for the first time. As the statutory language of 35 U.S.C. § 101 has not 
changed, Applicant would like to know if the Patent Office's construction of this statutory 
provision has changed, or if the initial examination of these claims was not conducted in 
accordance with MPEP 707.07(g) (i.e., "Piecemeal examination should be avoided as 
much as possible. The examiner should ordinarily reject each claim on all valid ground 
available ...") 

Independent claims 1, 17, and 21 

The present application contains three independent claims: claims 1, 17, and 21. 
The Office Action has rejected each of these claims under 35 U.S.C. § 103(a) as 
allegedly unpatentable over the combination of U.S. patent 6,092,196 to Reiche in view 
of U.S. published application 2002/0083178 to Brothers. For at least the following 
reasons, Applicant disagrees. 

Again, and as an initial matter, Applicant notes that the presently pending claims 
have not been amended during the prosecution of this application, and the present 
rejections are based on newly cited art. It therefore appears that the initial search and 
examination was not fully conducted in accordance with MPEP 904.02 et seq. 

With regard to independent claim 1, claim 1 recites: 

1. A method for authenticating a Web session comprising: 
receiving a user ID; 
computing a message digest of the user ID; 
computing an expiration timestamp for the session; 
selecting an index number, 
combining the message digest and expiration timestamp; 
accessing an encryption key using the index number; 
encrypting the combined message using the accessed encryption key, and 
converting the encrypted message into an ASCII string. 

(Emphasis added.) Applicant respectfully submits that claim 1 patently defines over the 
cited art for at least the reason that the cited art fails to disclose the features 
emphasized above. 
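
For illustration only, the steps recited in claim 1 can be written out as the following Node.js sketch, which is an added example and is not taken from the application, Reiche, or Brothers. SHA-256, AES-256-GCM, base64url encoding, the constructed two-entry key table, the one-byte index carried in clear at the front of the token, and the `verifyToken` check (which goes beyond the claim) are all assumptions.

```javascript
const crypto = require("crypto");

// Constructed key table (placeholder keys); the index number selects the key.
const KEYS = ["constructed key 0", "constructed key 1"].map((s) =>
  crypto.createHash("sha256").update(s).digest());

// The claim's steps in order. Times are integer seconds; returns the ASCII token.
function issueToken(userId, index, ttlSeconds, nowSeconds) {
  const key = KEYS[index]; // accessing an encryption key using the index number
  if (!key) throw new Error("unknown key index");
  const digest = crypto.createHash("sha256").update(userId).digest();
  const expiry = Buffer.alloc(8);
  expiry.writeBigUInt64BE(BigInt(nowSeconds + ttlSeconds));
  const header = Buffer.from([index]); // assumption: index travels in clear
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(header); // any change to the index then fails authentication
  const body = Buffer.concat([cipher.update(Buffer.concat([digest, expiry])), cipher.final()]);
  return Buffer.concat([header, nonce, body, cipher.getAuthTag()]).toString("base64url");
}

// Added beyond the claim: the receiving side looks the key up by the same index.
function verifyToken(token, userId, nowSeconds) {
  const raw = Buffer.from(token, "base64url");
  const key = KEYS[raw[0]];
  if (!key || raw.length !== 1 + 12 + 40 + 16) return false;
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(1, 13));
  decipher.setAAD(raw.subarray(0, 1));
  decipher.setAuthTag(raw.subarray(53));
  let msg;
  try {
    msg = Buffer.concat([decipher.update(raw.subarray(13, 53)), decipher.final()]);
  } catch {
    return false; // wrong key, or tampered index, nonce, body or tag
  }
  const want = crypto.createHash("sha256").update(userId).digest();
  return crypto.timingSafeEqual(msg.subarray(0, 32), want) &&
    BigInt(nowSeconds) < msg.readBigUInt64BE(32);
}
```
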

The undersigned submits that there are a number of distinctions in the 
embodiment of claim 1, but several features are particularly distinctive over the cited art. 
In addition, the undersigned respectfully submits that the Office Action has taken an 
overly expansive view of certain claim features in forming the rejection. 

To begin, the Office Action admits that Reiche does not teach either: "selecting 
an index number" or "accessing an encryption key using the index number." However, 
the Office Action DOES allege that Reiche teaches encrypting the combined message 
using an encryption key (citing col. 10, lines 21-23). This rejection, however, ignores an 
expressly claimed feature. In this regard, if Reiche doesn't disclose accessing an 
encryption key using the index number, then Reiche CANNOT disclose "encrypting the 
combined message using the accessed encryption key." Indeed, the cited portion of 
Reiche (col. 10, lines 21-23) specifically stated that the encryption is performed "using a 
simple private key encryption algorithm." Consequently, Reiche actually teaches away 
from a system that provides the security offered by the authentication method of claim 
1. For at least this reason, the rejection of claim 1 is deficient and should be withdrawn. 

As noted above, the Office Action cites paragraph [0104] of Brothers for 
disclosing the claimed features of "selecting an index number" and "accessing an 
encryption key using the index number." Applicant respectfully disagrees. In fact, this 
cited portion of Brothers teaches: 

[0104] The memory 44 can store an operating system that permits the 
processor 42 to communicate with the memory 44, communication 
interface unit 46, the input device 48, the output device 50, and the data 
storage unit 26, via the bus 52. The memory 44 stores various program 
modules containing computer code executed by the processor 42 to 
perform various functions in coordination with the operating system. More 
specifically, the memory 44 stores a secure URL generator module, an 
access right enforcer module, a secure caching module, a communication 
module, and optionally a user authentication module. The memory 44 also 
stores a secure resource key database that includes key data and 
resource access right data. Furthermore, the memory 44 can store user 
authentication data including username/password data in which case the 
user authentication module performs the functions of the session layer in 
the ISO/OSI model IEEE specifications. The secure URL generator 
module is executed in response to a request signal from the WAD 12 
requesting a web page document. The request signal can be initially 
handled by the communication module that manages reception and 
transmission of signals over the network 18 in coordination with the 
operating system. The secure URL generator module is executed by the 
processor 42 to retrieve the requested web page document, and to find 
any URL(s) within the web page document. The secure URL generator 
module retrieves key data and resource access right data for the 
URL(s) from the secure resource key database. The secure URL 
generator module secures the resource access right data using the 
key data. If more than one key is used in the system 10, the secure URL 
generator module can also append key index data indicating the key to be 
used by the RDS 16 to verify a request to access the resource from the 
WAD 12. The secure URL generator module combines the resource 
access right data with its corresponding URL in the web page document. 
The secure URL generator module calls the communication module that 
handles transmission of the web page document having URL(s) with 
resource access right data, to the WAD 12. The access right enforcer 
module is launched by processor 42 upon receiving a resource request 
signal from the RDS 16. The access right enforcer module determines 
whether the RDS 16 is authorized to receive the requested resource. If so, 
the access right enforcer module calls the secure caching module that 
retrieves the resource from the data storage unit 26 and retrieves key data 
corresponding to the RDS requesting the resource. The secure caching 
module encodes the resource with the key data, and calls the 
communication module to transmit the encrypted resource to the 
requesting RDS. The communication module generates a signal including 
the encrypted resource and transmits such encrypted resource to the 
communication interface unit 46 for transmission to the RDS 16. The input 
device 48 and output device 50 can provide a graphical user interface 
(GUI) in connection with a server program (not shown) that permits an 
operator of the web server 44 to perform administrative tasks such as 
loading or updating the operating system and various program modules, 
web page document(s), data, and resource(s) stored in the memory 44 
and the data storage unit 26. 

(Emphasis added). 

First, Applicant notes that Brothers is not directed to authenticating a Web 
session, and as such is nonanalogous art to the present application and the system of 
Reiche. Further, as emphasized above in paragraph [0104], Brothers does not appear 
to teach "accessing an encryption key using the index number." Instead, Brothers only 
relevantly teaches that "secure URL generator module secures the resource access 
right data using the key data." It does not appear to teach accessing an encryption key 
by using a selected index number. 

For at least the foregoing reasons, even if Reiche and Brothers could be properly 
combined, the resulting combination does not teach all of the claimed features and 
limitations of claim 1. Consequently, claim 1 patently defines over the combination of 
Reiche and Brothers. For at least this reason, the rejection of claim 1 should be 
withdrawn. 

As a separate and independent basis for the patentability of claim 1, Applicant 
submits that the combination of Reiche and Brothers is improper. In this regard, the 
Office Action combined selected teachings of Brothers with Reiche to reject claim 1 on 
the solely expressed basis that "it would have been obvious ... because it would 
increase security because using a different key for each session makes the same 
log in information appear different for each session, making it more difficult to 
break the encryption scheme or perform a replay attack." (see e.g., Office Action, 
pp. 4-5). The rationale (or motivation) for the combination, however, was not derived 
from the prior art itself, but rather from the Examiner's subjective viewpoint of a 
perceived benefit that would result IF the combination were made. 

This rationale is both incomplete and improper in view of the established 
standards for rejections under 35 U.S.C. § 103. 

In this regard, the MPEP section 2141 states: 

Office policy has consistently been to follow Graham v. John 
Deere Co. in the consideration and determination of obviousness under 
35 U.S.C. 103. As quoted above, the four factual inquiries enunciated 
therein as a background for determining obviousness are briefly as 
follows: 

(A) Determining of the scope and contents of the prior art; 

(B) Ascertaining the differences between the prior art and the 
claims in issue; 

(C) Resolving the level of ordinary skill in the pertinent art; and 

(D) Evaluating evidence of secondary considerations. 

BASIC CONSIDERATIONS WHICH APPLY TO OBVIOUSNESS 
REJECTIONS 

When applying 35 U.S.C. 103, the following tenets of patent law 
must be adhered to: 

(A) The claimed invention must be considered as a whole; 

(B) The references must be considered as a whole and must 
suggest the desirability and thus the obviousness of making the 
combination; 

(C) The references must be viewed without the benefit of 
impermissible hindsight vision afforded by the claimed invention and 

(D) Reasonable expectation of success is the standard with which 
obviousness is determined. 

Hodosh v. Block Drug Co., Inc., 786 F.2d 1136, 1143 n.5, 229 USPQ 
182, 187 n.5 (Fed. Cir. 1986). 

The foregoing approach to obviousness determinations was recently confirmed by the 
United States Supreme Court decision in KSR INTERNATIONAL CO. V. TELEFLEX 
INC. ET AL. 550 U.S. (2007)(No. 04-1350, slip opinion, p. 2), where the Court 
stated: 

In Graham v. John Deere Co. of Kansas City, 383 U. S. 1 (1966), 
the Court set out a framework for applying the statutory language of §103, 
language itself based on the logic of the earlier decision in Hotchkiss v. 
Greenwood, 11 How. 248 (1851), and its progeny. See 383 U. S., at 15- 
17. The analysis is objective: 

"Under §103, the scope and content of the prior art are to be determined; 
differences between the prior art and the claims at issue are to be 
ascertained; and the level of ordinary skill in the pertinent art resolved. 
Against this background the obviousness or nonobviousness of the 
subject matter is determined. Such secondary considerations as 
commercial success, long felt but unsolved needs, failure of others, etc., 
might be utilized to give light to the circumstances surrounding the origin 
of the subject matter sought to be patented." Id., at 17-18. 

Simply stated, the Office Action has failed to at least (1) ascertain the differences 
between the prior art and the claims in issue; and (2) resolve the level of ordinary skill 
in the art. Furthermore, the alleged rationale for combining the two references 
embodies clear and improper subjective hindsight rationale. Furthermore, the two cited 
references actually teach away from such a combination. In this regard, Reiche 
specifically teaches "using a simple private key encryption algorithm" (col. 10, lines 22- 
23) and Brothers is not even directed to Web session authentication. For at least these 
additional reasons, Applicant submits that the rejection of claim 1 is improper and 
should be withdrawn. 

With regard to independent claims 17 and 21, those claims are defined by 
elements that, in all relevant respects, parallel the defining elements of claim 1. Indeed, 
the Office Action applied the same portions of Reiche (col. 10, lines 14-23) and Brothers 
(paragraph [0104]) as teaching the claimed features of claims 17 and 21, as were 
applied to the rejection of claim 1. Furthermore, the Office Action stated nothing 
additional about the motivation for combining Reiche and Brothers, with respect to 
claims 17 and 21. Therefore, it is assumed that the rationale for the combination is the 
same as that advanced in connection with claim 1. Therefore, Applicant submits that 
the rejections of claims 17 and 21 should be withdrawn for the same reasons as the 
rejection of claim 1. 

Dependent Claims 

Claims 2-16, 18-20, and 22-28 depend from independent claims 1, 17, and 21, 
respectively and patently define over the cited art for at least the same reasons that 
these claims contain all limitations of the base claims from which they depend. 

AUTHORIZATION TO DEBIT ACCOUNT 

It is believed that no extensions of time or fees for net addition of claims are 
required, beyond those which may otherwise be provided for in documents accompanying 
this paper. However, in the event that additional extensions of time are necessary to allow 
consideration of this paper, such extensions are hereby petitioned under 37 C.F.R. § 
1.136(a), and any fees required therefor (including fees for net addition of claims) are 
hereby authorized to be charged to Hewlett-Packard Company's deposit account no. 08- 
2025. 

Respectfully submitted, 

/Daniel R. McClure/ 

Daniel R. McClure 
Registration No. 38,962 

(770) 933-9500 

Please continue to send all future correspondence to: 

Hewlett-Packard Development Company, L.P. 
Intellectual Property Administration 
P.O. Box 272400 

Fort Collins, Colorado 80527-2400 